Using .php8 in PHP handler leading to RCE #3615

Closed
passtheticket opened this issue Nov 28, 2023 · 1 comment

Describe the bug
There is no restriction on uploading a file with the .php8 extension. I encountered this situation during penetration testing of a website that uses elFinder.
In some environments, .php8 can be executed as PHP. In particular, when PHP is updated from a lower version to 8.x, .php8 can be added to the .htaccess file for PHP handling, like:

For PHP 8.0:
AddHandler application/x-httpd-ea-php80 .php .php8 .phtml
For PHP 8.1:
AddHandler application/x-httpd-ea-php81 .php .php8 .phtml

In another case, .php8 can be executed as PHP according to the following Apache configuration.

<FilesMatch ".+\.ph(p[7-8]?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

To Reproduce
Steps to reproduce the behavior:

  1. Select an arbitrary PNG file to upload.
  2. Capture the request with Burp and set the content to test<?php phpinfo();?>
  3. Set the filename to something like test.php8
  4. After forwarding the request, the file is successfully uploaded under the files directory

Expected behavior
I think that php8 can be added to the staticMineMap array in the elFinderVolumeDriver class.


@nao-pon nao-pon self-assigned this Dec 19, 2023

nao-pon commented Dec 19, 2023

@passtheticket Thank you for your report. I will fix this. Until a fixed version is released, elFinder administrators can work around this issue by using 'additionalMimeMap' in the roots configuration, as follows:

'roots' => array(
    // Items volume
    array(
        'additionalMimeMap' => array(
            'php8:*' => 'text/x-php',
            'php9:*' => 'text/x-php'
        ),
        'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
        'path'          => '../files/',                 // path to files (REQUIRED)
        'URL'           => dirname($_SERVER['PHP_SELF']) . '/../files/', // URL to files (REQUIRED)
        'trashHash'     => 't1_Lw',                     // elFinder's hash of trash folder
        'winHashFix'    => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
        'uploadDeny'    => array('all'),                // All Mimetypes not allowed to upload
        'uploadAllow'   => array('image/x-ms-bmp', 'image/gif', 'image/jpeg', 'image/png', 'image/x-icon', 'text/plain'), // Mimetype `image` and `text/plain` allowed to upload
        'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
        'accessControl' => 'access'                     // disable and hide dot starting files (OPTIONAL)
    ),
), // end of 'roots'
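
Added example (not part of the issue thread and not elFinder code): a Python check that reads Apache configuration text, collects the extensions routed to a PHP handler by `AddHandler`/`AddType` or by `FilesMatch` with `SetHandler`, and lists those the upload filter does not treat as PHP. `FILTER_KNOWS`, `CANDIDATES` and the function names are assumptions made for this example; the sample config reuses the directives quoted in the report.

```python
import re

# Constructed sample: Apache directives of the kind quoted in the issue.
SAMPLE_CONF = r'''
AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
<FilesMatch ".+\.ph(p[7-8]?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''

# Assumption: extensions the upload filter already treats as PHP source.
# Constructed for the example; not copied from elFinder's built-in map.
FILTER_KNOWS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht"}

# Candidate extensions probed against FilesMatch patterns.
CANDIDATES = ["php", "pht", "phtml", "phar"] + [f"php{n}" for n in range(2, 10)]


def php_handled_extensions(conf):
    """Return the set of extensions the config routes to a PHP handler."""
    found, pattern = set(), None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"?(.+?)"?\s*>$', line, re.I)
        if m:
            pattern = re.compile(m.group(1))
            continue
        if line.lower().startswith("</filesmatch"):
            pattern = None
            continue
        parts = line.split()
        directive = parts[0].lower()
        is_php = len(parts) > 1 and "php" in parts[1].lower()
        if directive in ("addhandler", "addtype") and is_php:
            found.update(p.lstrip(".").lower() for p in parts[2:])
        elif directive == "sethandler" and is_php and pattern:
            found.update(e for e in CANDIDATES if pattern.search("x." + e))
    return found


def uncovered(conf, filter_knows=FILTER_KNOWS):
    """Extensions the server executes as PHP but the upload filter misses."""
    return sorted(php_handled_extensions(conf) - set(filter_knows))


if __name__ == "__main__":
    print(uncovered(SAMPLE_CONF))
```

Any extension this reports is a candidate for an `additionalMimeMap` entry mapping it to `text/x-php`, as in the workaround above.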
